39ab06d7e3500d9f253612555083f17c11b4d1d46c147855bdc02b23325a51a7

General

Target

64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Size

139KB
MD5

64a6beb9acf9504efe80438d641faec3
SHA1

7f82d669536301c72fceafafb70eb8b7b420f625
SHA256

39ab06d7e3500d9f253612555083f17c11b4d1d46c147855bdc02b23325a51a7
SHA512

71c12663bc50ee27dcb8f0071cb153884709c6a02adb0fd4c311cb7e49749f96735c490f56773d42a63655b3b13d9f94fc525631bc404e13b311832103119533
SSDEEP

3072:q+pxY6Z1lCQ26ktBBKFH57bE/60NRVpX9lFsy/gEJiK+6A41kmNe+p:NxdopXDsALZpXl7IEJiK/ro

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\help\B41346EFA848.dll	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
File created	C:\Windows\help\B41346EFA848.dll	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\ = "SSUUDL"	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ = "C:\\Windows\\help\\B41346EFA848.dll"	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1DBD6574-D6D0-4782-94C3-69619E719765}\InProcServer32\ThreadingModel = "Apartment"	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Token: SeRestorePrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Token: SeRestorePrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Token: SeRestorePrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Token: SeRestorePrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Token: SeRestorePrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Token: SeBackupPrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Token: SeRestorePrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Token: SeRestorePrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Token: SeRestorePrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Token: SeRestorePrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
Token: SeRestorePrivilege	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2748	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2748	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2748	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2748	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe	30
PID 2056 wrote to memory of 2756	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe	32
PID 2056 wrote to memory of 2756	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe	32
PID 2056 wrote to memory of 2756	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe	32
PID 2056 wrote to memory of 2756	2056	64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64a6beb9acf9504efe80438d641faec3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 2.bat
  2⤵
  PID:2756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
64B

MD5
34b746fa1c2ae741c761a54e77a2e96b

SHA1
f6d0a556884368a368ffe66615adca050080ad60

SHA256
d39d3be074eaabf568c9e425c58b43a5bd1d130ec8e5f450c170bf398444dcf2

SHA512
94d589999d003dabfd794c97ebe415ac7c6f31761ce1ae4637601395819e07d5f1583f7235d8f21ec9e05dad74a729711d9bde79b8a66174673591819039da6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat

Filesize
63B

MD5
4b7448d3e37bfd461b5718a4350c8c29

SHA1
f93e70ff00102528092589e7556f52e2169ccf83

SHA256
9848c9217157365d6f7cff7d7b3281b048f175640e3ea176f93adf6268589642

SHA512
b95b110a8a150132f83ddda8e907a57dfebfc43a9ab7b2896a2fa65260982bbc12f2a645394b05acce06cce04396d5e89561deee040f4022206c6c143ea68402

Download Submit
\Windows\Help\B41346EFA848.dll

Filesize
125KB

MD5
baa029b6e4b0f982b4dcf03bea6dc6ff

SHA1
49c5ac1431f80c135a41516a3e65b1fd1afc6de4

SHA256
681721ffe9b206b710f6b5dfff4e9c93dabd794961683f40c33451fb2fab61ee

SHA512
bc67a22566b96463579548800cec25a5a89e2f2e8793683daefe20d8ece65dab08bec33007f2b049bbb56764ea7268baf15a5a6ed4f54bbfafc2b1c4ec56f752

Download Submit
memory/2056-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2056-11-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2056-2-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2056-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2056-24-0x0000000000370000-0x00000000003DB000-memory.dmp

Filesize
428KB

Download
memory/2056-25-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2056-26-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2056-27-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2056-28-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2056-30-0x0000000000370000-0x00000000003DB000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing